hxxps://cdn[.]discordapp[.]com/attachments/1207108878655946783/1250201681208279162/New_WinRAR_ZIP_archive[.]zip?ex=666a148c&is=6668c30c&hm=bf748d8fd08bd752a2df5e8592d55f4a01a991899a77d7d616c87d82e732c3d9&

Analysis

max time kernel
60s
max time network
55s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11/06/2024, 21:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1207108878655946783/1250201681208279162/New_WinRAR_ZIP_archive.zip?ex=666a148c&is=6668c30c&hm=bf748d8fd08bd752a2df5e8592d55f4a01a991899a77d7d616c87d82e732c3d9&

Score

3^/10

pyinstaller

Malware Config

Signatures

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000900000001aa42-66.dat	pyinstaller

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626153268128600"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4604	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3440	chrome.exe
3440	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 4924	3440	chrome.exe	72
PID 3440 wrote to memory of 4924	3440	chrome.exe	72
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 524	3440	chrome.exe	74
PID 3440 wrote to memory of 3032	3440	chrome.exe	75
PID 3440 wrote to memory of 3032	3440	chrome.exe	75
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76
PID 3440 wrote to memory of 4992	3440	chrome.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1207108878655946783/1250201681208279162/New_WinRAR_ZIP_archive.zip?ex=666a148c&is=6668c30c&hm=bf748d8fd08bd752a2df5e8592d55f4a01a991899a77d7d616c87d82e732c3d9&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff994079758,0x7ff994079768,0x7ff994079778
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:2
  2⤵
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2068 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5668 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5872 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6068 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3872 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=6192 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6100 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5328 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3208 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5424 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6368 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2144 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4704 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1548 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5332 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6304 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5840 --field-trial-handle=1820,i,17664581123783157446,14717293017064767416,131072 /prefetch:8
  2⤵
  PID:2636

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1048

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_New_WinRAR_ZIP_archive.zip\New Text Document.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\64c8e33b-2c12-4d43-853f-d3d420be5845.tmp

Filesize
136KB

MD5
d6e2f06ea57223e1d569b77da13cc807

SHA1
1f7bf01f8887250c6dd10e1889c573bfc45a1434

SHA256
63a66c39a90e738bf003b4f7837df5fb4e873e415355560016408493213ca20c

SHA512
4879d1b0d4530d939512aacf7deb00e17991a5105a315a81da83d209c9ffe2df1c6bb2e1ff005693f8aa8f138cfc4c4013ec6a1b1a71d0ce8205ebc05b8a9331

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
150302e0092b82243045c82b64132567

SHA1
55f117ae9aac7285acd80d351e0c1a3a9becc238

SHA256
6d65648378fb50dcb8ff9b096c047c4cb3bf1383192806d0799630b55f404572

SHA512
bb01813461e2cbc44692c83d06e9754015717b9e0353dc280df1b427db93e1ee6eadfc7dfdc55f219d916b65095dd13b1a1f9b1e350c83282003ce956bd623a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
4262c50b72bd6f06b21648624b41f466

SHA1
c3efcebd4ef42e1a3edc86adbd62cd386a62c07b

SHA256
eb5055eb4bfb0991de3be64b48ef9799056614bfba30471ba5624f12d8fe50f8

SHA512
4b7295eebcd7b2519db8976821b7eb69c5c45ffbe9de3c4344839e3db2f8d270b00063e53df8e24d9a24f4617fb3eaa895627ac613a372a2d6e15c0a30a554a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ed1079820ab336288259f2636613e4c3

SHA1
84fe66fbe0a0d837eb60ad6c22890307ff10b4b5

SHA256
d3c178e4e2803a6256d509ea013c2d4a2f9f73fe52e837b303ac5c562906187e

SHA512
10ee64540206d3130047f7d92ef430c3c80a0179817c4837e83450041e631d4dce9435ab2c1899ff632a07797e67835b9c10bd71bf815afb1f0b4a1bac55bb9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bd5c7c08cc4d18460cee4ddf050897e7

SHA1
a32baf42aff2978324a0efd25c317c643eb02499

SHA256
b461cc8ff06267a215a927588dfc6b3b6ef56a718c9baed63f27f21e6496735c

SHA512
1dd97c873d7bc41ab9830f7aacf892c2534a462368354a32a6139b9de20048b856febcf875c63099d1cf7b1082f6787c64d708a227d527870e411c9ef89c0c2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
44b3973b1d88e88ae18c10b4838b14f1

SHA1
191d325a68f7a8ea4f9ed5f11485b793af70f079

SHA256
e09e4d54196a5549505f8bf846da67afb7ea7099c31f72b081bfed579ceb4dd2

SHA512
974a77f903672a48f12369d5b3b76148b914151e7216ad2e56a1acd27557b38a3a97a9c806ce1ce72ec187e586a70d324a0c5d64d28989d32e2dd97f1da3d6cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e479260fd24639894999a1bfab08aba9

SHA1
e4e3ce3adf7c9679ff72a0ccd1a152fc19f36393

SHA256
f68253b83e92d5954b29da9f6472345b51b8a2976a4ebe6a4273728a2022be36

SHA512
421ddc5cf485caf94ed8ca6084bc7703cb215407f8c2215c1abc441dafbd5a34a1f41e6df3b9e81270bfbd8801b1d9aed2dbe2596a127e4104d0dcdbf1bf0ad2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
ee31ed9e1d8c61da9c8c518029791e05

SHA1
2bfbad01e479999de71c7b34541bc2b45fe39698

SHA256
b19d2d12000ec2883acae789753eba973b9191ae0877f7c647b718281807015a

SHA512
f6782950de2a5211ed0b0ac0ffcdf7793f09d3096b70c1d97aae19f12b8d4448c3e2ef0fed244d74c783c3d1b932a1be7d23308e217d3c13b4d36cfb6e310193

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
e589d1cbe579ac5ff3be4024006bb756

SHA1
b46db249b6a9450882f34feef5d09ab26173a8c7

SHA256
f40f4d996a1b60f0545789bf506468b5a1110dbc67574f5a86082f8c273ca7c2

SHA512
2bf75605a6bfb25525dfac8b8719e38a86c8e15e19b5b062b33c703657565e1a6b6b4275c5b8abd753fc7745fe5dec9af3867929bcd1da0e9775c82613951022

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Eulen_Bypass.exe

Filesize
17.7MB

MD5
401d547f7a65ffff15a0cac4872262c5

SHA1
6ec92d049bad03745cfda31b6e74262f34bf05d6

SHA256
106ab53f83538b9b89d453c1f19d94ee69f1964e266fb275b1e89adbff2965d0

SHA512
a875e2b1743d7e83f9921c4ff0fa926b68a73aa24cd6b90bf438979cfbb694d37dead9e85f6484cd542ed145b494cf23331af25626d0097ccb8f80be7dbc69ad

Download Submit
C:\Users\Admin\Downloads\New_WinRAR_ZIP_archive.zip

Filesize
407B

MD5
1ab3aa5cbee1e601ed96b459d9f43356

SHA1
d3ec4ed775eb6e26c53746deaaf72b3cd12b6ed5

SHA256
83c363b0c9484f4665acb87f693c6b792e038ef43042b3664265ab4e4425a01e

SHA512
9fb3a263d919b357ed2e83975478b2139ac217f8a70adfd02df7569c90603d3fc87c0bfdb619aa1f26e9c39db1cc61bf86da2ca864394d499e1e25b32a691635

Download Submit
C:\Users\Admin\Downloads\lifetime-cracked-eulen-loader.exe.crdownload

Filesize
6.0MB

MD5
f5b3e44d85b08935324f5d0a8a8ef765

SHA1
23afed2fd75726cd4962c0f434c8ddb18dc4bc2a

SHA256
ba9b2f5e503d60424f6ace5bdd22d827d704341d68eb358e8ff629210d56b635

SHA512
694685b8bf0d023c22de742d66d32685f9451055ed595b876ca4ba367ed422566efc2c547f9dab4a97d31d98c7d8663be946d6c2c996ed21c7ba6b124cac307b

Download Submit